
Loki vs CloudWatch Logs vs Datadog Logs: Log Management in 2026

Comparing Grafana Loki, AWS CloudWatch Logs, and Datadog Logs on cost, query language, integrations, and alerting. Which log management platform fits your team in 2026?

DevOpsBoys · 4 min read

Log management is one of those infrastructure decisions that feels low-stakes until you're paying $8,000/month for CloudWatch and realize you could have run Loki for $200. Or you're on Loki and you've spent two weeks building alerting that Datadog would have given you in an afternoon.

Here's an honest comparison of the three platforms most teams end up choosing between.

What Each Tool Actually Is

Grafana Loki is a log aggregation system designed to be cheap. It doesn't index log content — only labels (like Kubernetes pod name, namespace, container). You ship logs via Promtail or the OpenTelemetry Collector, store them in S3 or GCS, and query with LogQL. It integrates natively with Grafana.

AWS CloudWatch Logs is the default logging service for anything running on AWS. It's automatic for Lambda, ECS, EKS (with Fluent Bit), and EC2. You pay per GB ingested and stored, and query with CloudWatch Logs Insights (a SQL-like language).

Datadog Logs is part of Datadog's full observability platform. It indexes everything, offers pattern detection, anomaly alerts, and ties logs to traces and metrics. It's also the most expensive of the three at scale.

Pricing at 10 GB/Day Ingestion

| Platform | Ingestion Cost | Storage (30 days) | Query Cost | Monthly Estimate |
|---|---|---|---|---|
| Loki (self-hosted on K8s + S3) | ~$0 infra | ~$23 (S3) | $0 | ~$50–150 total |
| Loki Cloud (Grafana managed) | $0.50/GB = $150 | Included (30d) | $0 | ~$150 |
| CloudWatch Logs | $0.50/GB = $150 | $0.03/GB = ~$9 | $0.005/GB scanned | ~$175–250 |
| Datadog Logs | $0.10/GB with 15-day retention | Included | Included | ~$900–1,200 |

Datadog's pricing is per GB retained, not just ingested. With 15-day retention at 10GB/day = 150GB stored × $0.10 = $1,500/month at list price. Most teams negotiate or use Flex Logs for cheaper archival.

Loki is the clear winner on cost if you have the ops bandwidth to run it.

Query Language Comparison

LogQL (Loki):

```logql
# Filter logs from a specific namespace
{namespace="production", container="api"} |= "error"

# Parse JSON and filter on a field
{namespace="production"} | json | status_code >= 500

# Rate of errors over 5 minutes
rate({namespace="production"} |= "ERROR" [5m])
```

LogQL feels like Prometheus PromQL — familiar if you're already in the Grafana stack, unfamiliar otherwise.
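To make the three queries above concrete, here is an added example (not from the original article and not Loki's own code) that evaluates them over constructed log entries using a simplified Python model. The helper names `select`, `line_contains`, `json_field_ge` and `rate` are hypothetical, every sample line is assumed to be valid JSON, and Loki's handling of parse errors is not modelled.

```python
import json
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
PROD_API = {"namespace": "production", "container": "api"}
# Constructed sample entries: (seconds after T0, labels, JSON log line).
SAMPLE = [
    (10, PROD_API, '{"level":"ERROR","status_code":502,"msg":"upstream error"}'),
    (70, PROD_API, '{"level":"INFO","status_code":200,"msg":"ok"}'),
    (130, {"namespace": "production", "container": "worker"},
     '{"level":"ERROR","status_code":500,"msg":"job failed"}'),
    (200, {"namespace": "staging", "container": "api"},
     '{"level":"ERROR","status_code":503,"msg":"timeout"}'),
    (250, PROD_API, '{"level":"ERROR","status_code":504,"msg":"gateway timeout"}'),
]
ENTRIES = [(T0 + timedelta(seconds=s), labels, line) for s, labels, line in SAMPLE]

def select(entries, **matchers):
    """Stream selector {k="v"}: exact label match, the only indexed lookup."""
    return [e for e in entries if all(e[1].get(k) == v for k, v in matchers.items())]

def line_contains(entries, needle):
    """Line filter |= "needle": case-sensitive substring scan of the raw line."""
    return [e for e in entries if needle in e[2]]

def json_field_ge(entries, field, minimum):
    """| json | field >= minimum, assuming every line is valid JSON."""
    return [e for e in entries if json.loads(e[2]).get(field, 0) >= minimum]

def rate(entries, at, window=timedelta(minutes=5)):
    """rate(... [5m]) at time `at`: matching lines per second, per stream."""
    counts = {}
    for ts, labels, _ in entries:
        if at - window < ts <= at:
            key = tuple(sorted(labels.items()))
            counts[key] = counts.get(key, 0) + 1
    return {key: n / window.total_seconds() for key, n in counts.items()}

def query_error_lines():   # {namespace="production", container="api"} |= "error"
    return line_contains(select(ENTRIES, namespace="production", container="api"), "error")

def query_5xx():           # {namespace="production"} | json | status_code >= 500
    return json_field_ge(select(ENTRIES, namespace="production"), "status_code", 500)

def query_error_rate(at):  # rate({namespace="production"} |= "ERROR" [5m])
    return rate(line_contains(select(ENTRIES, namespace="production"), "ERROR"), at)

if __name__ == "__main__":
    print(len(query_error_lines()), len(query_5xx()),
          query_error_rate(T0 + timedelta(minutes=5)))
```

On this sample the first query returns one line while the second returns three, because `|= "error"` is a case-sensitive substring match and does not match lines whose only hit is `"level":"ERROR"`. An alert built on the lowercase filter would miss those entries.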

CloudWatch Logs Insights:

```sql
fields @timestamp, @message
| filter @message like /ERROR/
| stats count(*) as errorCount by bin(5m)
| sort @timestamp desc
| limit 50
```

More SQL-like, easier for developers who haven't used Loki. But queries on large datasets can be slow and expensive — each query scans data and costs $0.005/GB.

Datadog Log Search:

```
service:api status:error @http.status_code:>=500
```

Datadog's query UI is the most user-friendly. Autocomplete, faceted search, saved queries. You don't write queries so much as click and filter. For teams where non-engineers need to look at logs, this is a significant advantage.

Integration With Your Existing Stack

| Integration | Loki | CloudWatch | Datadog |
|---|---|---|---|
| Kubernetes | Promtail DaemonSet / OTel Collector | Fluent Bit → CW | Datadog Agent |
| AWS Lambda | Needs custom setup | Automatic | Lambda Extension |
| ECS/Fargate | Needs Firelens | Automatic | Datadog Agent sidecar |
| GitHub Actions | Custom exporter | Custom | Native integration |
| Grafana dashboards | Native | CloudWatch datasource plugin | Separate tool or DD UI |
| Alert routing | Alertmanager / Grafana Alerts | CloudWatch Alarms → SNS | Built-in monitors |

If you're 100% AWS, CloudWatch wins on zero-friction integration. Lambda logs just appear. ECS tasks write directly to log groups. No agents to deploy.

If you're on Kubernetes, Loki with Promtail is easy to deploy and cheap.

If you want logs correlated with APM traces, Datadog is the only one that does this out of the box.

Alerting Capabilities

Loki: Create alerts in Grafana (Grafana Alerting) using LogQL. You can alert on error rate, log line patterns, or absence of expected logs. Integrate with PagerDuty, Slack, OpsGenie. Requires setting up the alert pipeline yourself.

CloudWatch Logs: Create metric filters to turn log patterns into CloudWatch Metrics, then alarm on those metrics. Works, but multi-step setup. CloudWatch Alarms → SNS → Lambda/email/Slack.

Datadog: Best alerting experience. One screen: pick a log query, set threshold, choose notification channel. Anomaly detection, composite alerts, SLO tracking built in.

Long-Term Retention Strategy

All three struggle with long-term retention costs:

  • Loki: Archive to S3 with Loki's compactor. Query older logs with LogQL but slower. Realistic long-term cost: ~$3/GB/year on S3.
  • CloudWatch: Set log group retention (e.g., 90 days) and export older logs to S3 with a Lambda + S3 lifecycle policy. Query old logs with Athena ($5/TB scanned).
  • Datadog: Flex Logs tier for cheap archive storage (not queryable without rehydration). Rehydrating old logs costs extra.

Which Team Should Use What

| Scenario | Best Choice |
|---|---|
| Startup on AWS, minimal ops team | CloudWatch — zero setup, pay as you grow |
| Kubernetes-native team, cost-conscious | Loki — cheap, integrates with existing Grafana |
| Team already paying for Datadog APM | Datadog Logs — correlation with traces is worth it |
| Multi-cloud environment | Loki or Datadog (CloudWatch is AWS-only) |
| Team needs logs for non-engineers | Datadog — best UI by far |
| Large volume (>50 GB/day), cost control critical | Loki — CloudWatch and Datadog become very expensive |

No single answer. CloudWatch is the default for small AWS teams who don't want to think about it. Loki is the right answer for cost-sensitive Kubernetes teams who already have Grafana. Datadog is the right answer when you need the full observability stack and budget isn't the primary concern.
